Date: Fri, 3 Apr 2009 06:48:29 GMT
From: Sergey
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/133333: ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state

>Number: 133333
>Category: ports
>Synopsis: ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 03 06:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Sergey
>Release: FreeBSD 6.3-RELEASE #0
>Organization:
>Environment:
FreeBSD mail.mydomain.ru 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Mon Dec 22 11:03:36 MSK 2008 root@mail.mydomain.ru:/usr/obj/usr/src/sys/CUSTOM_KERNEL i386
>Description:
ClamAV is running as a milter for sendmail Version 8.14.2.
The problem appeared after the update of ClamAV from 0.94.2 to 0.95.

Normally ClamAV rejects viruses like:

clamd.log:
Apr 3 04:20:17 gw-1 clamav-milter[82788]: Message n330KFwi084209 from <> to with subject 'Mail delivery failed: returning message to sender' message-id '' date 'Thu, 02 Apr 2009 19:20:12 -0500' infected by Worm.SomeFool.P

maillog:
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: from=<>, size=43403, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=IPv4, relay=mx.mydomain.ru [194.186.213.3]
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550 5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: to=, delay=00:00:02, pri=73403, stat=We don't receive viruses like Worm.SomeFool.P

But when it meets Worm.Mydoom.I the behaviour changes to:

clamd.log, just:
Apr 3 08:14:23 gw-1 clamd[39534]: fd[10]: Worm.Mydoom.I FOUND

maillog:
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: from=, size=31040, class=0, nrcpts=1, msgid=<200904030414.n334EMWU090084@gw-1.caotus.ru>, proto=ESMTP, daemon=IPv4, relay=gw-3.caotus.ru [194.186.213.3]
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter): cmd read returned 0, expecting 5
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error state
Apr 3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: , delay=00:00:01, xdelay=00:00:00, mailer=local, pri=151427, relay=local, dsn=2.0.0, stat=Sent

As a result ClamAV antivirus:
1. Passes the infected e-mail to local users
2. Stops anti-virus scanning of e-mails and begins checking again only after a restart, until it catches the next Worm.Mydoom.I
>How-To-Repeat:
1. Turn on a mail server which uses ClamAV Milter;
2. Send via this e-mail server some test letters containing viruses (one of them, but not the first and not the last, must be Worm.Mydoom.I);
3. Read clamd.log and maillog
>Fix:
As a temporary, rather bad fix I've had to fall back to ClamAV-0.94.2.
>Release-Note:
>Audit-Trail:
>Unformatted:
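Added example, not part of the PR: a small audit over sendmail maillog lines that flags the two failure modes the report describes, a message delivered (stat=Sent) although clamav-milter had already added X-Virus-Status: Infected, and any later message delivered without an X-Virus-Scanned header once the milter dropped into error state. The sample log lines are constructed after the ones quoted above; addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample maillog, modelled on the lines quoted in the PR;
# addresses are placeholders, not values taken from the report.
SAMPLE_MAILLOG = """\
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550 5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter): cmd read returned 0, expecting 5
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error state
Apr 3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: to=<user@example.invalid>, delay=00:00:01, mailer=local, relay=local, dsn=2.0.0, stat=Sent
Apr 3 08:20:00 gw-1 sm-mta[90100]: n334K0AB090100: from=<other@example.invalid>, size=1000, class=0, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=gw-3.caotus.ru [194.186.213.3]
Apr 3 08:20:01 gw-1 sm-mta[90101]: n334K0AB090100: to=<user@example.invalid>, delay=00:00:01, mailer=local, relay=local, dsn=2.0.0, stat=Sent
"""

# syslog timestamp, host, sm-mta[pid], sendmail queue id, rest of the line
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
INFECTED_RE = re.compile(r"X-Virus-Status: Infected \((?P<sig>[^)]+)\)")

def audit_maillog(text):
    """Return (queue id, timestamp, finding, signature) tuples for mail that was
    delivered despite an Infected header, or delivered unscanned after the
    milter went to error state."""
    recs = defaultdict(lambda: {"ts": None, "sig": None, "scanned": False,
                                "rejected": False, "sent": False, "after_error": False})
    milter_down = False  # set once sendmail logs "Milter (...): to error state"
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r, msg = recs[m["qid"]], m["msg"]
        r["ts"] = r["ts"] or m["ts"]
        sig = INFECTED_RE.search(msg)
        if sig:
            r["sig"] = sig["sig"]
        r["scanned"] |= "X-Virus-Scanned:" in msg
        r["rejected"] |= "reject=" in msg
        if "to error state" in msg:
            milter_down = True
        if "stat=Sent" in msg:
            r["sent"], r["after_error"] = True, milter_down
    findings = []
    for qid, r in recs.items():
        if r["sent"] and r["sig"] and not r["rejected"]:
            findings.append((qid, r["ts"], "infected-delivered", r["sig"]))
        elif r["sent"] and not r["scanned"] and r["after_error"]:
            findings.append((qid, r["ts"], "unscanned-after-milter-error", None))
    return findings
```

Run it against a real maillog after a clamav-milter restart to confirm that no "unscanned-after-milter-error" findings appear once scanning resumes.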